Use all available ipaddresses as SAN for master nginx

As master node nginx must be acceccible from any network it has and nginx listen on every interface, all IP addresses from them must be used in TLS certificate for proper connection. Change-Id: Ib7121af26fffbe011a616b3ffdabb45dc273c3ce Closes-Bug: #1517893
2016-02-05 16:26:09 +03:00 · 2016-02-05 16:26:09 +03:00 · 7f61fea530
parent 1abcbf3b92
commit 7f61fea530
2 changed files with 9 additions and 1 deletions
--- a/deployment/puppet/nailgun/manifests/nginx.pp
+++ b/deployment/puppet/nailgun/manifests/nginx.pp
@ -58,12 +58,13 @@ class nailgun::nginx(
  }

  if $ssl_enabled {
+    $ips = inline_template('<%= @interfaces.split(",").reject{ |iface| iface =~ /^(lo|docker)/ }.map {|iface| scope.lookupvar("ipaddress_#{iface}")}.compact.join(",") %>')
    openssl::certificate::x509 { 'nginx':
      ensure       => present,
      country      => 'US',
      organization => 'Fuel',
      commonname   => 'fuel.master.local',
-      altnames     => [$nailgun_host],
+      altnames     => union(split($ips, ','), [$nailgun_host]),
      state        => 'California',
      unit         => 'Fuel Deployment Team',
      email        => 'root@fuel.master.local',
--- a/tests/noop/spec/hosts/master/nginx-only_spec.rb
+++ b/tests/noop/spec/hosts/master/nginx-only_spec.rb
@ -3,5 +3,12 @@ require 'shared-examples'
 manifest = 'master/nginx-only.pp'

 describe manifest do
+  shared_examples 'catalog' do
+    let(:facts) do
+      Noop.centos_facts.merge({
+        :interfaces => 'eth0,eth1'
+      })
+    end
+  end
  test_centos manifest
 end